Home/ Questions/Q 578257
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T14:14:27+00:00

As you might know, browser’s security model does not allow a script loaded in

  • 0

As you might know, browser’s security model does not allow a script loaded in a page from http://www.example.com to make cross-domain requests (no AJAX calls to any other domain other than http://www.example.com). The Javascript file itself could have been served from a different domain altogether (www.javascript.com/myscript.js) and that is irrelevant. This is the Same-Origin Policy.

Flash also has something similar? But does Flash treat the origin to be the HTML page where the .swf file was loaded or origin is the domain which served the .swf file?

So http://www.example.com loads a .swf file from http://www.swf.com/myflash.swf. Now .swf can load resources only from http://www.example.com or only http://www.swf.com? I’m assuming there are no cross-domain.xml files setup on either example.com or swf.com.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I think, this article explains a lot about the problem you mention: http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html

    From there:

    For website owners, all user-supplied
    content should be served from a
    completely separate domain. This is
    already implemented by Yahoo mail,
    Hotmail, Wikipedia, and many other
    major websites, but a huge variety of
    self-contained web applications do not
    do so (and if I can, for example,
    upload a malicious file to
    “apiwiki.twiitter.com”, I can perform
    cross-subdomain cookie attacks). A
    partial solution was made possible by
    Flash 10,0,0,2: SWF files served with
    a “content-Disposition: attachment”
    header will not execute when embedded
    in a web page. If all user-generated
    content is served with this header
    (not a bad idea in any case), it may
    limit your exposure, but this is not a
    very robust solution.

    It sounds like if you serve the content from a different domain and there are no cross-domain policy files, then flash cannot access files from your main server.

    Also, this article: http://supergeekery.com/index.php/geekblog/2009/12 states that

    And everything I write should be able
    to trust each other and share with
    each other. You may wonder if Flash
    Ads are a problem. Do they have this
    problem? No, there are Flash ads all
    over the internet, but since they are
    almost never hosted on the same server
    as the domain you’re visiting, they
    don’t get to access the data the web
    site’s primary code’s data    . Cool.

    • 0